Cloud
11/26/2013 11:06 AM
Elad Yoran
Commentary

NSA Surveillance: First Prism, Now Muscled Out Of Cloud

Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another.

The latest round of stunning revelations of National Security Agency (NSA) surveillance and data mining of cloud-based services and Internet communications has added a new term to our lexicon of government spying. In addition to Prism, we now have Muscular looming over cloud adoption.

The Muscular revelations are eye-opening because, according to The Washington Post, they point to a far wider scope and far more indiscriminate data capture than even the Prism revelations suggest. This collection is done by intercepting the private links that connect Google and Yahoo datacenters around the world -- and decrypting the traffic that should be protected in transit. Microsoft recently testified to the European Union Parliament that the company does not encrypt its server-to-server data communications. Another revelation is that the program is operated in conjunction with the United Kingdom's NSA counterpart, the Government Communications Headquarters. This is a broad issue, as governments all over the world are accessing private data in ways that are only now being made public.

Inevitably, we find ourselves asking the same set of questions we did when reports of Prism emerged. But now there is an added twist: Is there any way to protect the privacy of cloud data, and, in fact, any point in encrypting data with the range of technical tools and programs at the NSA's disposal? We've learned of cloud service providers being compelled or cajoled to hand over the keys for encryption of data at rest. Does Muscular mean we are seeing the value of encryption of data in transit being undermined?

These new revelations certainly underscore the risk of cloud data landing in places outside enterprise controls. But we should be careful about overstating the implications for encryption technology as a whole.

First of all, the NSA has circumvented the SSL encryption process by tapping the provider's datacenter directly. The implication here is not that SSL is of no intrinsic value, but rather that evaluating (and monitoring) a cloud service provider's security posture is critical. Closing the barn door after the horse has bolted is not a sustainable operating principle. Also, it's important to bear in mind that there are plenty of threats (as well as compliance mandates) where SSL for encryption of data in transit has its uses.

However, the Muscular revelations bring home the fact that SSL protects data only while it is on the wire between two endpoints; once the provider terminates the connection, the data itself is no longer encrypted.

Hoovering up data
Many of the enterprises we speak to understand that, under current legislation, there is broad leeway for the NSA to hoover up data -- and that technology will only provide a partial answer. As much as anything, changes in policy, process, and oversight are needed for enterprises to embrace cloud computing without putting their confidentiality, privacy, or compliance at risk.

Without direct knowledge of the NSA's inner workings, no cryptography expert is willing to rule out the notion that the agency has developed encryption-cracking capabilities. However, to crack a common data encryption standard such as 256-bit AES and recover even a single key, the agency would have to have made exponential leaps in its abilities and computing capacity.

Instead, the Muscular revelations point to the need for businesses to work with cloud service providers that adhere to third-party security frameworks -- and not simply assert, "We got this." This is why adherence to the Cloud Security Alliance's Cloud Controls Matrix should be the first order of business for any enterprise evaluating a cloud service provider.

As Gartner director Heidi Wachs points out in a company blog post, "If we're going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward."

So what remedies are open to enterprises that want to embrace the cloud? According to Wachs:

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

Ultimately, corporate data in the cloud is still exposed to any government's tools, or to its ability to twist cloud service providers' arms into handing over corporate data. Therefore, we need to separate two things: addressing these programs through policy debate, and defining the steps that organizations can take directly to retain ownership and control of their data.

Bottom line: Enterprises absolutely must maintain direct ownership and control of their encryption keys and encrypt their data in all three states -- at rest, in transit, and in use. Any business not willing to take these steps should keep its data on the premises.
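The bottom line above, encrypting the data itself under keys the enterprise holds rather than relying on the provider's transport encryption, as an added Go example (not from the article or any vendor): client-side AES-256-GCM sealing of an object before upload, with the object name bound as associated data so a stored blob cannot be swapped into another object's slot. The key, object name and payload are constructed placeholders; a real deployment sources the key from the enterprise's own key management.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key the enterprise holds; the provider never receives it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealObject encrypts before upload, binding the object name as associated data; stored layout is nonce || ciphertext || tag.
func sealObject(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// openObject decrypts a downloaded blob; it fails if the blob was altered in storage or is presented under another name.
func openObject(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key := make([]byte, 32) // constructed all-zero key; real keys come from the enterprise's own KMS or HSM
	blob, _ := sealObject(key, "finance/q3-forecast.xlsx", []byte("constructed confidential payload"))
	fmt.Printf("provider stores %d opaque bytes; key and plaintext stay on premises\n", len(blob))
}
```

This covers the at-rest and in-transit states from the article's list; protecting data in use requires measures the article does not detail.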

Comments
RussellWalker, User Rank: Apprentice
11/26/2013 | 1:56:37 PM
Hear! Hear!
The lazy buyer will make the hacker (legal or not) a happy person.
Marilyn Cohodas, User Rank: Strategist
11/27/2013 | 8:10:37 AM
Re: Hear! Hear!
Thanks for the heads up about Muscular, Elad. Gartner offers some good advice about the importance of strong CSP contracts that include privacy protections and apply increased security control and transparency for data handling. But I wonder how willing CSPs are to engage in these discussions?